Also detect vulnerabilities with no fixed version

openrewrite · Aug 27, 2024 · d9770cc · d9770cc
1 parent fae2e8e
commit d9770cc
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 6 deletions.
diff --git a/src/main/java/org/openrewrite/csharp/dependencies/DependencyVulnerabilityCheck.java b/src/main/java/org/openrewrite/csharp/dependencies/DependencyVulnerabilityCheck.java
@@ -146,9 +146,15 @@ public TreeVisitor<?, ExecutionContext> getScanner(Accumulator acc) {
     private static final Comparator<Version> vc = new StaticVersionComparator();
 
     private boolean isVulnerable(String dependencyVersion, Vulnerability v) {
-        return vc.compare(
-                versionParser.transform(dependencyVersion),
-                versionParser.transform(v.getFixedVersion())) < 0;
+        Version actual = versionParser.transform(dependencyVersion);
+        if (vc.compare(actual, versionParser.transform(v.getIntroducedVersion())) < 0) {
+            return false;
+        }
+        String fixedVersion = v.getFixedVersion();
+        if (StringUtils.isBlank(fixedVersion)) {
+            return true;
+        }
+        return vc.compare(actual, versionParser.transform(fixedVersion)) < 0;
     }
 
     private static final LatestPatch latestPatch = new LatestPatch(null);
@@ -168,9 +174,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor(Accumulator acc) {
             String dependencyVersion = ref.getVersion();
             Map<Boolean, List<Vulnerability>> vulnerabilities = acc.vulnerabilities
                     .getOrDefault(new Accumulator.NameVersion(ref.getInclude(), ref.getVersion()), emptySet())
-                    .stream()
-                    .filter(v -> StringUtils.isBlank(v.getFixedVersion()) || isVulnerable(dependencyVersion, v))
-                    .collect(partitioningBy(v -> isFixWithPatchVersionUpdateOnly(dependencyVersion, v)));
+                    .stream().collect(partitioningBy(v -> isFixWithPatchVersionUpdateOnly(dependencyVersion, v)));
 
             // Bump to highest fixed patch version
             String highestFixedPatchVersion = vulnerabilities.get(true).stream()

diff --git a/src/test/java/org/openrewrite/csharp/dependencies/DependencyVulnerabilityCheckTest.java b/src/test/java/org/openrewrite/csharp/dependencies/DependencyVulnerabilityCheckTest.java
@@ -133,4 +133,76 @@ void upgradePackageWithMultipleVulnerablePatchVersions() {
           )
         );
     }
+
+    @Test
+    void vulnerableWithNoFixedVersion() {
+        rewriteRun(
+          spec -> spec.recipe(new DependencyVulnerabilityCheck(true)),
+          xml(
+            //language=xml
+            """
+              <Project ToolsVersion="4.0" DefaultTargets="FullPublish" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+                <ItemGroup>
+                  <PackageReference Include="curl" Version="7.13" />
+                </ItemGroup>
+              </Project>
+              """,
+            //language=xml
+            """
+              <Project ToolsVersion="4.0" DefaultTargets="FullPublish" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+                <ItemGroup>
+                  <!--~~(This dependency has the following vulnerabilities:
+              CVE-2018-1000120 (CRITICAL severity) - curl FTP path confusion leads to NIL byte out of bounds write)~~>--><PackageReference Include="curl" Version="7.13" />
+                </ItemGroup>
+              </Project>
+              """,
+            spec -> spec.path("MyFirst.csproj")
+          )
+        );
+    }
+
+    @Test
+    void notVulnerableOnOlderVersion() {
+        rewriteRun(
+          spec -> spec.recipe(new DependencyVulnerabilityCheck(true)),
+          xml(
+            //language=xml
+            """
+              <Project ToolsVersion="4.0" DefaultTargets="FullPublish" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+                <ItemGroup>
+                  <PackageReference Include="System.Linq.Dynamic.Core" Version="1.0.6" />
+                </ItemGroup>
+              </Project>
+              """,
+            spec -> spec.path("MyFirst.csproj")
+          )
+        );
+    }
+
+    @Test
+    void vulnerableOnMinimumVersion() {
+        rewriteRun(
+          spec -> spec.recipe(new DependencyVulnerabilityCheck(true)),
+          xml(
+            //language=xml
+            """
+              <Project ToolsVersion="4.0" DefaultTargets="FullPublish" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+                <ItemGroup>
+                  <PackageReference Include="System.Linq.Dynamic.Core" Version="1.0.7.10" />
+                </ItemGroup>
+              </Project>
+              """,
+            //language=xml
+            """
+              <Project ToolsVersion="4.0" DefaultTargets="FullPublish" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+                <ItemGroup>
+                  <!--~~(This dependency has the following vulnerabilities:
+              CVE-2023-32571 (CRITICAL severity, fixed in 1.3.0) - Dynamic Linq vulnerable to remote code execution)~~>--><PackageReference Include="System.Linq.Dynamic.Core" Version="1.0.7.10" />
+                </ItemGroup>
+              </Project>
+              """,
+            spec -> spec.path("MyFirst.csproj")
+          )
+        );
+    }
 }